‘Lies’ Propagates One Truth: No One Can Get a Lock on Net Security
As an editor at a computer publication in the early 1990s, I hired a freelance security expert to evaluate anti-virus software. After extensive testing he faxed the results; unfortunately, the fax went to one of my publication’s direct competitors. His gaffe demonstrated why we will never see fail-safe computer security: human error.
That premise emerged as a central theme of a new book written by the same freelancer, now a leading security expert. “Secrets and Lies: Digital Security in a Networked World” (John Wiley & Sons, 2000, $29.99), by Bruce Schneier, is a compelling brief on the industry’s most obsessive anxiety.
It’s not a story for the faint of heart. Schneier’s scary world makes the Wild West--to which the Internet is often compared--look like kindergarten. (For every gory detail on computer crime, check out “Tangled Web,” by Richard Power; Que, 2000, $25.)
“Secrets and Lies” is well-timed on the heels of an apparently unstoppable wave of security foul-ups, hacks and government surveillance revelations. The best-known attacks--such as the breach of Microsoft’s corporate network revealed last week, disruptions of Yahoo, EBay and other top Web sites early this year, and the “Love Bug” virus, which infected millions of computers--made headlines.
Paranoids have delighted in recent revelations about “Echelon,” the government’s once super-secret system for monitoring worldwide voice and data communications, and the FBI’s “Carnivore” technology, which sniffs millions of supposedly private e-mail messages.
A burgeoning underground of Internet vandals, network nihilists, data thieves and those who probe vulnerabilities as an intellectual exercise begs a scorecard to distinguish “hackers” from “crackers,” “white hats” from “black hats.”
“Script kiddies”--wannabes who use turnkey hacking tools they find posted on the Web--may be emerging as the biggest threat.
Schneier explains the reasons for this grim scenario in simple truths:
* In the hacking wars, technology favors offense over defense.
* Complexity is the enemy of security, and the Internet is the mother of all complex systems.
* Software is buggy. Experts suggest that every 1,000 lines of computer programming code contains between five and 15 mistakes, some of which inevitably open security holes. Consider that Windows 2000 shipped with some 63,000 known bugs and incompatibilities.
* People are often foolish. Early this month the National Institute of Standards and Technology adopted an encryption algorithm (a mathematical formula used to scramble digital data) that it said would take more than 149 trillion years to crack. Then again, if you use your name or the word “password” as a decoding key--typical among lazy computer users--a neophyte hacker would need about five minutes.
Any security scheme can and will be subverted. Little wonder that software licensing agreements specifically disclaim responsibility for the product working as advertised.
It’s not hard to imagine why security software developers would be short on confidence--their products are nearly always developed in a vacuum.
“A common joke from my college physics class was to ‘assume a spherical cow of uniform density,’ ” Schneier writes. “We could only make calculations on idealized systems; the real world was much too complicated for the theory. Digital system security is the same way”--probably reliable in the lab, always vulnerable in the wild.
Part of the problem is that conventional thinking about Internet security is drawn from the physical world, where some kinds of security are “good enough.”
“If you had a great scam to pick someone’s pocket, but it only worked once every hundred thousand tries, you’d starve before you robbed anyone,” Schneier writes. “In cyberspace, you can set your computer to look for the one-in-a-hundred-thousand chance. You’d probably find a couple dozen every day.”
A big part of the solution, he writes, is to recognize that “security is a process, not a product.” Virus-protection software and “firewalls” designed to guard private networks can be effective only as part of a comprehensive strategy about security. This means that network users--as individuals or employees--must understand their role in protecting information--instead of naively relying on software tools to work without human vigilance.
So how to reach people with this geeky material? Schneier, founder of Counterpane Internet Security Inc. in San Jose, peppers the book with lively anecdotes and aphorisms, making it unusually accessible. But I still wouldn’t have judged it suitable for the average reader. So I was astonished to find “Secrets and Lies” recently ranked 68th on Amazon.com’s sales list. Unless all the buyers are hackers, that’s a hopeful sign.
So take Schneier’s good advice, but don’t panic: Like security, fear-mongering is a process. Exploiting that fear has become a growth industry. Hundreds of security companies shamelessly hype every new virus or hacking to pump up business.
Consider that while it’s theoretically possible to bring down much of the Internet with a single orchestrated hack, the most damaging episodes so far have affected only a few sites out of millions. The worst ones, such as Love Bug, though genuinely harmful, fade in a couple of weeks.
Dopey business plans are a bigger threat to the “dot-com” world--and the sale of personal data by marketers a bigger threat to individuals--than hackers will ever be.
*
Connect: Check out other Innovatin columns at https://www.latimes.com/innovation
*
Times staff writer Charles Piller can be reached at charles.piller@latimes.com.
